+++ This bug was initially created as a clone of Bug #1756454 +++ +++ This bug was initially created as a clone of Bug #1756453 +++ Users are allowed (and in pre-prod environments, encouraged) to upgrade clusters to versions that may not be in a stable channel. In addition, between minor versions of the product (4.1 and 4.2) edges may not be created in the stable channel, but we want users to try it out. To try that out today requires `oc adm upgrade --force` which bypasses signature verification and introduces a security risk. The CLI really should not force that choice on users, and in 4.3 we anticipate adding additional checks that have nothing to do with that behavior. For 4.1 and 4.2 we should split the --force flag in oc adm upgrade to only apply to server override, and use more specific flags for client side override (--allow-explicit-upgrade for using --to-image, and --allow-unsafe-upgrade for bypassing cluster version failure and upgrade in progress).
Version: 4.1.0-0.nightly-2019-10-23-020857 # ./oc version Client Version: version.Info{Major:"4", Minor:"1+", GitVersion:"v4.1.21-201910221726+974fd4f-dirty", GitCommit:"974fd4f", GitTreeState:"dirty", BuildDate:"2019-10-22T22:57:09Z", GoVersion:"go1.11.13", Compiler:"gc", Platform:"linux/amd64"} ### check for --allow-explicit-upgrade 1) install 4.1.20 2) upgrade to a payload not in available update # ./oc adm upgrade --to-image registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-10-23-020857 --force error: The requested upgrade image is not one of the available updates, you must pass --allow-explicit-upgrade to continue 3) add required variable # ./oc adm upgrade --to-image registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-10-23-020857 --force --allow-explicit-upgrade Updating to release image registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-10-23-020857 # ./oc adm upgrade info: An upgrade is in progress. Working towards 4.1.0-0.nightly-2019-10-23-020857: 13% complete No updates available. You may force an upgrade to a specific release image, but doing so may not be supported and result in downtime or data loss. ### check for --allow-upgrade-with-warnings 1) continue to do another upgrade when there is an upgrade ongoing # ./oc adm upgrade --to-image registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-10-22-071247 --allow-explicit-upgrade error: Already upgrading, pass --allow-upgrade-with-warnings to override. Reason: Message: Working towards 4.1.0-0.nightly-2019-10-23-020857: 24% complete 2) add required variable # ./oc adm upgrade --to-image registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-10-22-071247 --allow-explicit-upgrade --allow-upgrade-with-warnings Updating to release image registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-10-22-071247
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3152